CN115051836B - SDN-based APT attack dynamic defense method and system - Google Patents

Info

Publication number
CN115051836B
CN115051836B (application CN202210543006.8A)
Authority
CN
China
Prior art keywords
data
dynamic
defense
server
attack
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210543006.8A
Other languages
Chinese (zh)
Other versions
CN115051836A (en)
Inventor
董书琴
刘小虎
张玉臣
李福林
袁霖
陈康
付秋兴
王世豪
赵子辰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Information Engineering University of PLA Strategic Support Force
Original Assignee
Information Engineering University of PLA Strategic Support Force
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Information Engineering University of PLA Strategic Support Force
Priority to CN202210543006.8A
Publication of CN115051836A
Application granted
Publication of CN115051836B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/045 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply hybrid encryption, i.e. combination of symmetric and asymmetric encryption
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/12 Applying verification of the received information
    • H04L63/123 Applying verification of the received information received data contents, e.g. message integrity
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The invention provides an SDN-based APT attack dynamic defense method and system. The method has three defense layers, arranged in sequence from the shallow layer to the deep layer: an IPS and honeypot cooperative defense layer, a deception space defense layer and a dynamic defense layer. In the IPS and honeypot cooperative defense layer, the IPS filters attack data by attack feature matching and attracts the attack data to a honeypot host; the honeypot host collects the attack features and sends them to a data processing center for analysis and learning, and the data processing center feeds the analysis and learning results back to the IPS. In the deception space defense layer, a complex topological structure and a deception host space are used to perform secondary blocking and early warning on attack data that bypasses the IPS and honeypot cooperative defense layer. In the dynamic defense layer, an SDN-based dynamic IP hopping policy dynamically allocates the IP addresses of the internal network, so that an attacker who enters the internal network after bypassing the deception space defense layer cannot find the target server.

Description

SDN-based APT attack dynamic defense method and system
Technical Field
The invention relates to the technical field of network security, and in particular to an SDN-based APT attack dynamic defense method and system.
Background
Advanced persistent threat (APT) refers to persistent and effective attack activity carried out by an organization against a specific target, and is characterized by high concealment and high targeting. Traditional defense means such as antivirus software, firewalls and intrusion detection cannot effectively resist APT attacks. In recent years, the number of APT attacks suffered by government, finance and other sectors in China has increased continuously, and current defense systems against APT attacks mostly rely on a large amount of resource consumption to sustain their defense capability, so the defense effect is poor and the user experience is not ideal.
Disclosure of Invention
In order to improve the defense effect of a defense system against APT attacks, the invention provides an SDN-based APT attack dynamic defense method and system.
In a first aspect, the invention provides an SDN-based APT attack dynamic defense method, which has three defense layers: an IPS and honeypot cooperative defense layer, a deception space defense layer and a dynamic defense layer;
in the IPS and honeypot cooperative defense layer, the IPS filters attack data by attack feature matching and attracts the attack data to a honeypot host, the honeypot host collects the attack features and sends them to a data processing center for analysis and learning, and the data processing center feeds the analysis and learning results back to the IPS;
in the deception space defense layer, a complex topological structure and a deception host space are used to perform secondary blocking and early warning on attack data that bypasses the IPS and honeypot cooperative defense layer;
in the dynamic defense layer, an SDN-based dynamic IP hopping policy dynamically allocates the IP addresses of the internal network, so that an attacker who enters the internal network after bypassing the deception space defense layer cannot find the target server.
Further, in the dynamic defense layer, if the attacker does find the target server, the software and hardware platform of the target server is reconfigured using a state-migration-based dynamic platform policy, so that the attacker cannot carry out the theft of the target.
Further, in the dynamic defense layer, if the attacker bypasses both the SDN-based dynamic IP hopping policy and the state-migration-based dynamic platform policy, an encrypted-storage-based dynamic data policy encrypts and stores the important data in the target server and dynamically updates the data encryption key, so that an attacker who steals the target data cannot decrypt it to obtain the real data.
Further, an SDN-based control center judges the attack level of the attacker, and a sliding-window-based adaptive defense strategy then switches adaptively among the SDN-based dynamic IP hopping policy, the state-migration-based dynamic platform policy and the encrypted-storage-based dynamic data policy.
Further, the SDN-based dynamic IP hopping policy specifically comprises:
after an external network user passes through the firewall, the external network access data is sent to a control host in the control layer through an OF (OpenFlow) switch in the forwarding layer;
the control host converts the external network access data forwarded by the OF switch according to the southbound OpenFlow protocol;
a stream processing module in the control layer processes and analyzes the converted data stream content, specifically: it queries the source IP address and destination IP address of the external network access data from the data stream content, and accesses a dynamic processing module in the control layer based on the Dynamic Host Configuration Protocol;
the dynamic processing module queries and modifies the source and destination IP addresses of the external network access data, specifically: it changes the source and destination IP addresses of the external network access data to the source and destination IP addresses in the internal network of the accessed system, and stores the modified content in an information storage module in the control layer; it queries whether a target host corresponding to the source and destination IP addresses exists in the intranet, and if so, executes the subsequent steps; otherwise, it selects two virtual IP addresses that are neither assigned nor occupied from the address pool SA, assigns them to an intranet host, and executes the subsequent steps;
the SDN control center sends the data packet back to the accessed system, and the OF switch forwards it along the configured path to the target host;
while the above steps are executed, the dynamic processing module continuously checks the timestamp of each Data group in the liveList, and if the difference between the timestamp and the current time is greater than or equal to the set hop period interval, the IP address of the host corresponding to that Data group is hopped dynamically; the liveList stores a plurality of Data groups; a Data group is created after the first communication connection between a host and the server, and stores the information of both communicating parties in the form Data = (RIP_src, RIP_dst, T), where RIP_src denotes the source routing information, RIP_dst the destination routing information and T the timestamp;
the dynamic processing module also checks the duration specified in the 'idle_timeout' option of the flow table; if the difference between the time the flow table was last referenced and the current time is greater than or equal to the specified duration, the flow table is deleted, the communication between the host and the server is terminated, and the corresponding Data group is removed from the liveList.
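The liveList bookkeeping described above, as an added example that is not code from the patent: one Data group per host pair, virtual addresses drawn from the pool SA, a hop once the hop period has elapsed, and removal of the group once the flow entry reaches idle_timeout. It assumes (the page does not say) that a hop replaces both virtual addresses of a group and refreshes T, that the pool is a plain set of address strings, and that times are seconds passed in by the caller.

```python
"""Added example, not code from the patent: a minimal model of the liveList
bookkeeping used by the SDN-based dynamic IP hopping policy.

Assumptions not stated on the page: a Data group carries exactly the three
fields (RIP_src, RIP_dst, T); the address pool SA is a set of virtual IP
strings; the hop period and idle_timeout are in seconds; a "hop" swaps both
virtual IPs of a Data group for fresh ones from SA and refreshes T. The
current time is passed in so the behaviour can be checked deterministically.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Set, Tuple

Pair = Tuple[str, str]  # (real source host, real destination host)


@dataclass
class Data:
    rip_src: str   # RIP_src: virtual address currently standing in for the source
    rip_dst: str   # RIP_dst: virtual address currently standing in for the destination
    t: float       # T: timestamp of the last (re)assignment


class DynamicProcessingModule:
    def __init__(self, pool_sa: Iterable[str], hop_period: float, idle_timeout: float):
        self.free: Set[str] = set(pool_sa)     # unassigned, unoccupied addresses in SA
        self.hop_period = hop_period
        self.idle_timeout = idle_timeout
        self.live_list: Dict[Pair, Data] = {}  # liveList: one Data group per host pair
        self.storage: Dict[str, str] = {}      # information storage module: virtual -> real
        self.last_ref: Dict[Pair, float] = {}  # flow-table last-referenced time per pair

    def _take(self) -> str:
        if not self.free:
            raise RuntimeError("address pool SA exhausted")
        return self.free.pop()

    def _release(self, vip: str) -> None:
        self.storage.pop(vip, None)
        self.free.add(vip)

    def handle_access(self, real_src: str, real_dst: str, now: float) -> Pair:
        """Process one external access and return the (virtual src, virtual dst)
        pair the OF switch forwards with; a Data group is created on first contact."""
        key = (real_src, real_dst)
        self.last_ref[key] = now               # the flow entry was just referenced
        group = self.live_list.get(key)
        if group is None:
            # first communication between this host pair: draw two virtual IPs from SA
            group = Data(self._take(), self._take(), now)
            self.storage[group.rip_src] = real_src
            self.storage[group.rip_dst] = real_dst
            self.live_list[key] = group
        return group.rip_src, group.rip_dst

    def resolve(self, vip: str) -> str:
        """Map a virtual address back to the real intranet host (return path)."""
        return self.storage[vip]

    def tick(self, now: float) -> Dict[str, list]:
        """Periodic check: expire idle flows, then hop groups whose period elapsed."""
        hopped, expired = [], []
        for key in list(self.live_list):
            group = self.live_list[key]
            if now - self.last_ref[key] >= self.idle_timeout:
                # idle_timeout reached: delete flow entry, end the session, drop the Data group
                self._release(group.rip_src)
                self._release(group.rip_dst)
                del self.live_list[key]
                del self.last_ref[key]
                expired.append(key)
            elif now - group.t >= self.hop_period:
                # hop period reached: new virtual addresses, old ones back to SA, T refreshed
                old = (group.rip_src, group.rip_dst)
                group.rip_src, group.rip_dst = self._take(), self._take()
                group.t = now
                self.storage[group.rip_src], self.storage[group.rip_dst] = key
                for vip in old:
                    self._release(vip)
                hopped.append(key)
        return {"hopped": hopped, "expired": expired}
```

Note that a hop needs two spare addresses in SA before the old pair is released, so the pool must be sized for at least two addresses more than the number of live groups.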
Further, the state-migration-based dynamic platform policy specifically comprises:
constructing a platform pool in which any two platforms differ in at least one platform attribute, the platform attributes comprising the operating system and its version, the CPU architecture and the platform data format;
if an attack risk to the currently online platform A is detected, putting platform A into an offline state, in which a platform only processes and completes the tasks already on it and does not accept new task requests;
selecting a platform B different from platform A from the platform pool and bringing it online to accept new task requests;
after platform A in the offline state has completed its existing tasks, resetting platform A.
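The platform pool, offline draining, migration and reset steps above, as an added example that is not code from the patent. It assumes (the page does not say) that platform B is picked as the pooled platform differing from A in the most attributes, that a task is an opaque string, and that "reset" simply returns the drained platform to the pool in a clean state.

```python
"""Added example, not code from the patent: a model of the state-migration
dynamic platform policy (platform pool, offline draining, migration, reset).

Assumptions not stated on the page: platform attributes are the three named
on the page and are compared as plain strings; platform B is chosen as the
pooled platform that differs from A in the most attributes; a task is an
opaque string; "reset" returns the drained platform to the pool.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PlatformAttrs:
    os_version: str      # operating system and its version
    cpu_arch: str        # CPU architecture
    data_format: str     # platform data format

    def differences(self, other: "PlatformAttrs") -> int:
        """Number of attributes in which two platforms differ."""
        return sum(a != b for a, b in zip(
            (self.os_version, self.cpu_arch, self.data_format),
            (other.os_version, other.cpu_arch, other.data_format)))


@dataclass
class Platform:
    name: str
    attrs: PlatformAttrs
    state: str = "pooled"               # pooled | online | offline
    tasks: List[str] = field(default_factory=list)


class PlatformPool:
    def __init__(self, platforms: List[Platform]):
        attrs = [p.attrs for p in platforms]
        if len(set(attrs)) != len(attrs):
            raise ValueError("any two platforms must differ in at least one attribute")
        self.platforms: Dict[str, Platform] = {p.name: p for p in platforms}
        self.online: Optional[Platform] = None

    def bring_online(self, name: str) -> Platform:
        p = self.platforms[name]
        p.state = "online"
        self.online = p
        return p

    def submit(self, task: str) -> str:
        """New task requests only ever go to the online platform."""
        if self.online is None:
            raise RuntimeError("no platform is online")
        self.online.tasks.append(task)
        return self.online.name

    def migrate(self) -> Platform:
        """Attack risk detected on online platform A: A goes offline and keeps only
        its existing tasks; a different platform B from the pool goes online."""
        a = self.online
        if a is None:
            raise RuntimeError("no platform is online")
        a.state = "offline"
        candidates = [p for p in self.platforms.values() if p.state == "pooled"]
        if not candidates:
            raise RuntimeError("platform pool has no spare platform")
        b = max(candidates, key=lambda p: p.attrs.differences(a.attrs))
        return self.bring_online(b.name)

    def complete(self, name: str, task: str) -> bool:
        """Mark a task finished; an offline platform that has drained is reset
        (returned to the pool in a clean state). Returns True if a reset happened."""
        p = self.platforms[name]
        p.tasks.remove(task)
        if p.state == "offline" and not p.tasks:
            p.state = "pooled"
            return True
        return False
```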
Further, the encrypted-storage-based dynamic data policy specifically comprises:
a dynamic key generation algorithm in the file storage server generates an encryption key; the file M is encrypted with this key using the SM4 algorithm to produce the ciphertext C, and the encryption key is stored in a key management server;
when a file visitor sends a request to the file storage server to download the file M, the file storage server sends the corresponding ciphertext C to the file visitor together with the encryption key encrypted using the SM2 algorithm;
the file visitor first decrypts the encrypted encryption key, and then uses the encryption key to decrypt the ciphertext C to obtain the file M.
Further, the sliding-window-based adaptive defense strategy specifically comprises:
step A1: calculating the attack intensity predicted value y_i for a time point i in the time window m using formula (1);
where w_1, w_2, …, w_m respectively denote the weights of the attack intensity predicted values y_{i-1}, y_{i-2}, …, y_{i-m} at the corresponding time points;
step A2: calculating the difference between the true attack intensity value and the predicted value at time point i, and comparing the difference with a preset threshold;
step A3: if the difference is larger than the preset threshold, raising an alarm to increase the defense level, and dynamically updating the defense strategy according to the defense level; otherwise, the defense level remains unchanged;
step A4: updating the time window, and then performing steps A1 to A3 in the new time window.
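Steps A1 to A4 carried through on a short intensity series, as an added example that is not code from the patent. Because the page does not reproduce formula (1), the example assumes it is a weighted sum over the m previous intensities with weights w_1 ... w_m summing to 1; the defense levels, the policies mapped to them and the threshold are constructed values.

```python
"""Added example, not code from the patent: the sliding-window adaptive
defense strategy of steps A1 to A4.

Assumption: the page does not reproduce formula (1); here it is taken to be
a weighted sum over the m most recent attack intensities,
    y_i = w_1 * y_{i-1} + w_2 * y_{i-2} + ... + w_m * y_{i-m},
with weights that sum to 1 (w_1 on the newest point). The defense levels,
the policies mapped to them and the threshold are constructed for the demo.
"""
from typing import List, Optional, Tuple

# constructed mapping from defense level to the policies of the dynamic defense layer
LEVEL_POLICIES = {
    0: ("dynamic IP hopping",),
    1: ("dynamic IP hopping", "platform migration"),
    2: ("dynamic IP hopping", "platform migration", "encrypted storage with key rotation"),
}


class SlidingWindowDefense:
    def __init__(self, weights: List[float], threshold: float):
        if abs(sum(weights) - 1.0) > 1e-9:
            raise ValueError("weights must sum to 1")
        self.w = list(weights)          # w_1 ... w_m
        self.m = len(weights)           # window length
        self.threshold = threshold
        self.level = 0
        self.window: List[float] = []   # true intensities, oldest first

    def predict(self) -> float:
        # A1: w_1 weights the newest point y_{i-1}, w_m the oldest y_{i-m}
        return sum(w * y for w, y in zip(self.w, reversed(self.window)))

    def policies(self) -> Tuple[str, ...]:
        """Defense policies active at the current level."""
        return LEVEL_POLICIES[self.level]

    def observe(self, true_value: float) -> Tuple[Optional[float], bool]:
        """Run A1 to A4 for one time point. Returns (prediction, alarm raised);
        the prediction is None while the window is still filling."""
        if len(self.window) < self.m:
            self.window.append(true_value)
            return None, False
        predicted = self.predict()
        # A2/A3: true intensity exceeding the prediction by more than the threshold
        alarm = (true_value - predicted) > self.threshold
        if alarm and self.level < max(LEVEL_POLICIES):
            self.level += 1                 # raise the defense level
        # A4: slide the window forward by one time point
        self.window.pop(0)
        self.window.append(true_value)
        return predicted, alarm
```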
Further, a normal user accesses the server through the client according to a local area network secure communication protocol based on SM3 and SM4; the protocol specifically comprises the following steps:
step B1: the client generates a first random number, hashes it with the SM3 algorithm to obtain random number A, encrypts random number A with the first shared key and sends it to the server, so that the server decrypts the encrypted random number A with the first shared key after receiving it;
step B2: the server generates a second random number and hashes it with the SM3 algorithm to obtain random number B; it takes random number A, random number B, the server identity and a timestamp as the first plaintext, digitally signs the first plaintext with the private key corresponding to the server identity to obtain a first digital signature result, hashes the first digital signature result with the SM3 algorithm to obtain a first hash value, encrypts the first plaintext, the first digital signature result, the first hash value, the server's identity certificate and the public key corresponding to the server identity with the first shared key, and sends the result to the client;
step B3: after receiving the encrypted data, the client decrypts it with the first shared key, verifies the first digital signature result with the server's identity certificate and the public key corresponding to the server identity from the decrypted result, hashes the digital signature result from the decrypted result with the SM3 algorithm to obtain a second hash value, and compares the first hash value from the decrypted result with the second hash value to determine whether the encrypted data was corrupted in transmission or tampered with; it then takes random number A and random number B from the decrypted result, the client identity, a timestamp and the key information PWA as the second plaintext, digitally signs the second plaintext to obtain a second digital signature result, hashes the second digital signature result with the SM3 algorithm to obtain a third hash value, encrypts the second plaintext, the second digital signature result, the third hash value, the client's identity certificate and the public key corresponding to the client identity with the first shared key, and sends the result to the server;
step B4: after receiving the encrypted data, the server decrypts it with the first shared key, verifies the second digital signature result with the client's identity certificate and the public key corresponding to the client identity from the decrypted result, hashes the second digital signature result from the decrypted result with the SM3 algorithm to obtain a fourth hash value, and compares the third hash value from the decrypted result with the fourth hash value to determine whether the encrypted data was corrupted in transmission or tampered with;
step B5: the server generates key information PWB, generates a second shared key from the key information PWA and PWB according to a preset key generation method as the shared key to be used next time, and stores the second shared key in a database; it then encrypts the key information PWB, the user name ID_{F_A} with which the client accesses the server and the password PW_A' with the first shared key and sends them to the client;
step B6: after receiving the encrypted data, the client decrypts it with the first shared key, logs in to the server with the user name ID_{F_A} and password PW_A' from the decrypted result and interacts with the server; the interaction data is encrypted for transmission with the SM4 algorithm using the first shared key; and the client generates the second shared key from the key information PWA and PWB according to the pre-agreed key generation method as the shared key for the next use.
In a second aspect, the invention provides an SDN-based APT attack dynamic defense system, comprising:
an IPS and honeypot cooperative defense unit, configured to form the IPS and honeypot cooperative defense layer, in which the IPS filters attack data by attack feature matching and attracts the attack data to a honeypot host, the honeypot host collects the attack features and sends them to a data processing center for analysis and learning, and the data processing center feeds the analysis and learning results back to the IPS;
a deception space defense unit, configured to form the deception space defense layer, in which a complex topological structure and a deception host space are used to perform secondary blocking and early warning on attack data that bypasses the IPS and honeypot cooperative defense layer;
a dynamic defense unit, configured to form the dynamic defense layer, in which the IP addresses of the internal network are dynamically allocated based on an SDN-based dynamic IP hopping policy, so that an attacker who bypasses the deception space defense layer and enters the internal network cannot find the target server;
the defense layers formed by the three defense units are arranged in sequence from the shallow layer to the deep layer: the IPS and honeypot cooperative defense layer, the deception space defense layer and the dynamic defense layer.
The beneficial effects of the invention are as follows:
(1) An attacker who has not obtained legitimate access rights to the server cannot access the target server directly, and must pass through the three-layer defense system (the IPS and honeypot cooperative defense layer, the deception space defense layer and the dynamic defense layer) to obtain sensitive data from the target server, which greatly improves the defender's ability to defend against network attacks.
(2) In the dynamic defense layer, to reduce the risk of the real host being attacked while normal users access it, an SDN-based dynamic IP hopping policy is provided: the network is reshaped by an OpenFlow switch and the OpenDaylight software, IP addresses are allocated dynamically, and dynamic hopping of IP addresses is thereby realized. In an SDN network, forwarding decisions for all data flows passing through an OpenFlow switch are mainly made by the controller, so the data can be checked against rules in the controller and access can be controlled according to policy, which increases the flexibility of network control and at the same time improves network security. In addition, because the forwarding layer and the control layer of the switching equipment are separated from each other, the network protocol and switching policy can be changed by operating the control layer alone, which separates software from hardware and virtualizes the underlying hardware, providing administrators with a sustainable operating environment.
(3) In the dynamic defense layer, to further increase the attacker's cost, a state-migration-based dynamic platform policy is provided: by constructing a dynamically changing or polymorphic virtual system operating platform, with platform migration probabilities that differ between defense strategies, the platform attributes change dynamically, the attack surface of the platform changes, and the survivability of the services running on the platform is improved.
(4) In the dynamic defense layer, to solve the prior-art problem that once an attacker breaks a previous file key all data in the server is exposed to the attacker, an encrypted-storage dynamic data policy is also provided: a dynamic key generation algorithm generates the encryption key, SM4 encryption is periodically applied to the plaintext data stored on the data server, the stored form of the data changes dynamically, and the security of the data on the server platform is guaranteed for a period of time.
(5) To guarantee the security of its internal data, a server must adopt a strong security defense strategy. However, because the resource consumption of attacker and defender is unequal, continuously running a high-level defense strategy inevitably increases the defender's cost, and when the system's available resources are limited, the increased defense cost reduces the resources available to users and seriously affects the user experience. The invention therefore provides an adaptive defense strategy selection method: guided by the idea of graded defense, different defense strategies are selected and different levels of defense response are implemented according to the network attack level, which balances the limited system resources against the network defense task. In the specific implementation, the optimal defense strategy to adopt for each attack intensity is found mainly by game theory, and the burden of the defense system on the host is reduced.
(6) Considering that in most communication protocols the transmitted information is in plaintext during user communication and is at risk of interception and tampering by an attacker, the invention also constructs a secure communication protocol based on commercial cryptographic algorithms: the SM3 cryptographic hash algorithm and the SM4 block cipher algorithm protect the confidentiality and integrity of key communication data, and the SM2 public key algorithm is used for signing and signature verification, which effectively guarantees the security of communication data in transit over the channel and avoids the risk of private data being sniffed.
Drawings
FIG. 1 is a flow framework diagram of the SDN-based APT attack dynamic defense method provided in an embodiment of the invention;
FIG. 2 is a schematic diagram of the IPS and honeypot cooperative defense mechanism provided in an embodiment of the invention;
FIG. 3 is a schematic diagram of the IPS and honeypot cooperative defense flow according to an embodiment of the invention;
FIG. 4 is a schematic diagram of the deception space provided in an embodiment of the invention;
FIG. 5 is a schematic diagram of the dynamic IP hopping policy provided in an embodiment of the invention;
FIG. 6 is a schematic diagram of the dynamic platform policy according to an embodiment of the invention;
FIG. 7 is a schematic diagram of the encrypted-storage-based dynamic data policy according to an embodiment of the invention;
FIG. 8 is a flow chart of the secure communication protocol according to an embodiment of the invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present invention more apparent, the technical solutions in the embodiments of the present invention will be clearly described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Aiming at the dissymmetry of time, cost and the like of the network space attack and defense parties, particularly the problem of huge security threat caused by APT attack on the network space, the invention provides the following embodiments for reducing the dissymmetry advantage of an attacker in the attack and defense process and improving the network attack defending capability of the defender.
Example 1
As shown in fig. 1, an embodiment of the present invention provides an APT attack dynamic defense method based on SDN (Software Defined Network ), which is provided with three defense layers, and the three defense layers are respectively in turn from a shallow layer to a deep layer: IPS and honey pot cooperative defense layer, deception space defense layer and dynamic defense layer;
S101: in the IPS and honey pot cooperative defense layer, the IPS filters attack data through attack feature matching, attracts the attack data to a honey pot host for the honey pot host to collect the attack features and send the attack features to a data processing center for analysis and learning, and the data processing center feeds back analysis and learning results to the IPS;
in particular, the defense mechanism and process of the cooperative defense layer are shown in fig. 2 and 3. The layer is mainly used for defending general attack data, and firstly, most redundant general junk information and common viruses are filtered through attack feature matching by the IPS; then, the honey pot host is matched to induce an attacker to enter the honey pot host so as to play a role in early warning, the honey pot host can collect characteristics of the attacker and send the characteristics to the data processing center for analysis and learning, and the results are fed back to the IPS, so that cooperative defense of the IPS and the honey pot is realized, and the defending capability of the system is continuously improved.
As an implementation manner, the IPS monitors the operating status of the network system through software and hardware devices according to a given security policy, so as to ensure the confidentiality, integrity and availability of network system resources. The trap honeypot attracts an attacker's access and attacks by deliberately planting vulnerabilities and storing false information that the attacker regards as "valuable".
In the actual deployment process, the IPS and the trap type honeypot realize cooperative defense on network attacks mainly by means of a data processing center, the data processing center analyzes all attack data captured by the honeypot, and after the attack data features are mined and learned, the analyzed attack features are timely supplemented to an attack database of the IPS, so that the defense capacity of the whole system is improved.
In the specific application process, the IPS scans the operational characteristics of users mainly against a vulnerability database, directly screening out dangerous access operations and blocking them. According to the role of honeypots in the defense system, trap honeypots with a higher degree of interaction are selected for decoy defense: an attacker is attracted to access the honeypot by running a real system with an exploitable vulnerability in it, and the throughput of the honeypot network port is monitored in real time by installing the packet capture software Wireshark on a real host, so that the characteristics of the attack are acquired.
In addition, since the honeypot has no legitimate access value, any operation that accesses the honeypot can be regarded as an attack; at that moment the data processing center receives the attack data and sends an early warning signal to the control center, and the dynamic defense system adjusts its defense level according to the change in attack intensity.
S102: in the deception space defense layer, utilizing a complex topological structure and deception host space to perform secondary blocking and early warning on attack data bypassing the IPS and honey pot cooperative defense layer;
Specifically, this layer mainly defends against attack data that bypasses the IPS and the honeypot: secondary blocking and early warning of the attack data are carried out through a complex topological structure and a deception host space, so that a large amount of the attacker's reconnaissance time is consumed and the attack is delayed.
As an implementation manner, in the specific implementation process a notebook computer with an Ethernet card is used to construct the deception space, in which the IP and MAC addresses of real hosts are submerged in a large amount of virtual data. At the same time, in order to achieve the deception purpose and protect the operating information of real hosts as far as possible, network traffic simulation is realized by generating fake traffic from a remote location, so that an attacker analyzing the intranet traffic cannot perceive the deception, and deception quality is improved. The deception space constructed in accordance with an embodiment of the present invention is shown in fig. 4.
S103: in the dynamic defense layer, dynamically distributing the IP address of the internal network based on the dynamic IP jump strategy of SDN so that an attacker entering the internal network after bypassing the spoofed space defense layer cannot find a target server; if the attacker finds the target server, reconstructing a software and hardware platform of the target server by using a dynamic platform strategy based on state migration so that the attacker cannot perform target stealing operation; if the attacker bypasses the dynamic IP jump strategy based on SDN and the dynamic platform strategy based on state migration, the dynamic data strategy based on encryption storage is utilized to encrypt and store important data in the target server, and the data encryption key is dynamically updated so that the attacker cannot decrypt and obtain real data information after stealing the target data.
Specifically, this layer mainly defends against hidden attack data that enters the intranet by bypassing the honeypot host and the deception space. First, the internal network is reshaped by means of the SDN-based dynamic IP hopping strategy and IP addresses are allocated dynamically, so that IP addresses hop dynamically and an attacker cannot accurately locate the target server. For a more capable attacker who bypasses the dynamic IP hopping strategy and finds the target server, the dynamic platform strategy based on state migration is further started to dynamically reconstruct the software and hardware platform of the target server; by changing the running environment of the target application, the exposure time of specific system vulnerabilities is reduced, the attacker finds it difficult to work out the specific structure of the system, and cannot effectively launch an attack to steal the target. For a very capable attacker who bypasses both the dynamic IP hopping strategy and the dynamic platform strategy, the dynamic data strategy based on encrypted storage is further started to encrypt important data in the target server; because the data encryption key is dynamically updated, the attacker cannot decrypt the data and obtain the real information even after taking it. The three strategies of dynamic IP, dynamic platform and dynamic data are used together so that an attacker cannot find, take or understand the real data information.
As shown in fig. 5, as an implementation manner, the dynamic IP hopping policy based on SDN specifically includes:
S501: after the external network user enters the firewall, the external network access data is sent to a control host in the control layer through an OF switch in the forwarding layer;
S502: the control host converts the external network access data forwarded by the OF switch according to the southbound interface OpenFlow protocol, turning data packets that only the switch can process into data content that the upper control layer can process;
S503: processing and analyzing the converted data stream content by using a stream processing module in the control layer, which specifically includes: inquiring the source IP address and destination IP address of the external network access data according to the content of the data stream, and accessing a dynamic processing module in the control layer based on the Dynamic Host Configuration Protocol (DHCP);
S504: inquiring and modifying the source IP address and the destination IP address of the external network access data by using the dynamic processing module, which specifically includes: changing the source IP and destination IP addresses of the external network access data (where the source IP of the data packet is usually real and the destination IP usually false) into the source IP address and destination IP address in the internal network where the accessed system is located (where the source IP is usually false and the destination IP usually real), and storing the modified content in an information storage module in the control layer;
S505: inquiring whether a target host corresponding to the source IP address and the destination IP address exists in the intranet, and if so, executing the subsequent steps; otherwise, selecting two virtual IP addresses that are neither assigned nor occupied from the address pool SA, assigning the two virtual IP addresses to an intranet host, and executing the subsequent steps;
Specifically, each host in the intranet where the accessed system is located is pre-allocated two virtual addresses, which are stored in the control host in the form HI = (RIP, IP) to maintain the mapping between host addresses. The intranet is therefore queried first: if the mapping exists, the subsequent routing step is executed directly; if not, two virtual IP addresses are allocated to the host.
S506: the control host sends the data packet back to the accessed system, and the OF switch forwards the flow along the configured path until it reaches the target host;
S507: while steps S501 to S506 are executed, the dynamic processing module continuously checks the time stamp of each Data group in the liveList, and if the difference between the time stamp and the current time is greater than or equal to the set hop period, the IP address of the host corresponding to that Data group is hopped dynamically. A number of Data groups are stored in the liveList; a Data group is created after the first communication connection between a host and the server and stores the information of both communicating parties in the form $\mathrm{Data} = (RIP_{src}, RIP_{dst}, T)$, where $RIP_{src}$ represents the source routing information, $RIP_{dst}$ the destination routing information, and $T$ the time stamp. RIP stands for Routing Information Protocol.
Meanwhile, a dynamic processing module is utilized to check the specified duration in the 'idle_timeout' option in the flow table, if the time difference between the last referenced time of the flow table and the current time is greater than or equal to the specified duration, the flow table is deleted, the communication between the host and the server is terminated, and the corresponding Data group is removed from the liveList.
As an implementation manner, the process of dynamically hopping the IP address specifically includes: presetting an initial hopping range of IP addresses, then selecting a virtual IP address that is neither assigned nor occupied from the address pool SA, and dynamically assigning the virtual IP address to an intranet host according to the expected access frequency of that IP address, so as to update HI.
As an implementation manner, the hop period is set dynamically, and the setting rule mainly follows the dynamic adjustment strategy of 'fast shortening and slow lifting', namely: when the control center detects attack behavior, the dynamic processing module quickly shortens the hop period to improve the active defense capability of the network; during periods in which no attack is detected, the dynamic processing module slowly lengthens the hop period and maintains the module's defensive capability stably.
It should be noted that the modules in the control layer mentioned above can be simply packaged through the northbound REST interface, so as to facilitate the design and modification of the dynamic IP function by the user.
By replacing the true IP and MAC addresses of the target client with false ones during communication, the dynamic IP hopping strategy can effectively prevent an APT attacker from performing reconnaissance on the target, thereby breaking the APT attack kill chain and improving the security of intranet data.
Since in real attacks an attacker tends to obtain the IP address of the target host by scanning and then launch the attack, the dynamic processing module mainly replaces the real IP of the target host with a false IP, performs matching and modification against the flow table at the access terminal (OF switch), and at the same time modifies the IP and MAC addresses cooperatively within the same flow table.
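The controller-side bookkeeping of steps S501 to S507 and the idle_timeout check can be simulated as follows. This is an added example rather than code from the patent; it models one virtual address per intranet host (the text pre-allocates two), replaces OpenFlow messages with plain Python values, and all addresses in it are constructed.

```python
"""Controller-side bookkeeping of the SDN dynamic IP hopping strategy (S501-S507).

Added example, not the patent's own code.  Assumptions: one virtual address (VIP)
per intranet host is modelled (the text pre-allocates two); OpenFlow messages are
replaced by plain Python values; all addresses below are constructed.
"""
import ipaddress
import random
from dataclasses import dataclass


@dataclass
class Data:
    """One liveList entry, Data = (RIP_src, RIP_dst, T)."""
    rip_src: str
    rip_dst: str
    t: float          # T: time of creation or of the last hop for this pair
    last_ref: float   # last time the matching flow entry was referenced


class HopController:
    def __init__(self, pool_cidr, hop_period, idle_timeout, seed=0):
        # Address pool SA and the HI = (RIP, VIP) mapping of intranet hosts.
        self.sa = [str(h) for h in ipaddress.ip_network(pool_cidr).hosts()]
        self.hi = {}          # RIP -> VIP currently exposed for that host
        self.vip_to_rip = {}  # reverse of HI, used to rewrite incoming packets
        self.live = []        # liveList of Data groups
        self.hop_period = hop_period
        self.idle_timeout = idle_timeout
        self.rng = random.Random(seed)

    def _free_vip(self):
        """Pick a VIP from SA that is neither assigned nor occupied."""
        free = [v for v in self.sa if v not in self.vip_to_rip]
        if not free:
            raise RuntimeError("address pool SA exhausted")
        return self.rng.choice(free)

    def register_host(self, rip):
        """S505: give an unknown intranet host a VIP and record it in HI."""
        if rip not in self.hi:
            vip = self._free_vip()
            self.hi[rip] = vip
            self.vip_to_rip[vip] = rip
        return self.hi[rip]

    def packet_in(self, src, dst, now):
        """S503-S506: an external packet addressed to a VIP is rewritten to the
        real destination and its flow is recorded (or refreshed) in the liveList.
        Returns the rewritten (src, dst), or None when no host owns that VIP."""
        rip_dst = self.vip_to_rip.get(dst)
        if rip_dst is None:
            return None  # stale or never-assigned VIP: nothing is routed
        for d in self.live:
            if d.rip_src == src and d.rip_dst == rip_dst:
                d.last_ref = now  # existing flow entry referenced again
                break
        else:
            self.live.append(Data(src, rip_dst, now, now))
        return (src, rip_dst)

    def _hop(self, rip):
        """Move one host to a fresh VIP, release the old one and update HI."""
        old = self.hi[rip]
        new = self._free_vip()  # chosen while old is still held, so new != old
        del self.vip_to_rip[old]
        self.hi[rip] = new
        self.vip_to_rip[new] = rip
        return new

    def tick(self, now):
        """S507 plus the idle_timeout check run by the dynamic processing module.
        Returns ({rip: new_vip} for hosts hopped, [(src, dst)] for flows expired)."""
        due, expired, keep = set(), [], []
        for d in self.live:
            if now - d.last_ref >= self.idle_timeout:
                expired.append((d.rip_src, d.rip_dst))  # flow deleted, Data removed
                continue
            if now - d.t >= self.hop_period:
                due.update(r for r in (d.rip_src, d.rip_dst) if r in self.hi)
                d.t = now
            keep.append(d)
        self.live = keep
        hopped = {rip: self._hop(rip) for rip in sorted(due)}
        return hopped, expired
```

Once a host has hopped, a packet sent to the VIP learned earlier is no longer routed, which is the effect the strategy relies on against reconnaissance.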
As shown in fig. 6, as an implementation manner, the dynamic platform policy based on state migration specifically includes:
S601: constructing a platform pool in which any two platforms differ in at least one platform attribute, the platform attributes comprising the operating system and its version, the CPU architecture and the platform data format;
S602: if an attack risk to the currently online platform A is detected, platform A enters the offline state; a platform in the offline state only processes and completes the tasks already on it and does not accept new task requests;
S603: selecting a platform B different from platform A from the platform pool and bringing it online to accept new task requests;
S604: after platform A in the offline state has completed its existing tasks, platform A is reset, i.e. 'cleaned' of any infection, and returned to its initial state.
Specifically, the dynamic platform is a platform-level implementation of moving target defense, and mainly refers to the dynamic change of software and hardware platform attributes, including the operating system and its version, the CPU architecture, the platform data format and so on. Since the spread of viruses depends on system vulnerabilities, different types of viruses require different working environments. By building a variety of operating platforms and dynamically changing the environment in which an application runs, the system presents uncertainty and dynamics, the time window during which the application is exposed on any one platform is shortened, and the attacker's reconnaissance is obscured, so that the attacker finds it difficult to work out the specific structure of the system and to launch an effective attack. For example, if the external network is mostly affected by viruses of the Windows platform, a Linux system platform is selected to go online, so that the viruses are prevented from infecting the internal network to the greatest extent.
The dynamic platform strategy dynamically changes the platform attribute by constructing a dynamic change or polymorphic virtual system operation platform, starting from the migration of the platform, the platform migration probabilities corresponding to different defense strategies are also different, and the change of the platform attack surface is realized, so that the attack cost of an attacker is increased, and the survivability of operation service on the platform is improved. And the node can be restored to the health state under the condition that the service borne by the system is not interrupted.
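The platform pool and the online/offline/reset cycle of steps S601 to S604 as a small state machine. This is an added example, not the patent's code; the platform names and attribute values are constructed, and the rule for choosing platform B (prefer an OS different from the one the detected threat targets, then the candidate differing from A in the most attributes) is an assumption drawn from the Windows/Linux example above.

```python
"""State-migration dynamic platform strategy (S601-S604) as a small state machine.

Added example, not the patent's own code.  Platform names and attribute values are
constructed; the rule for choosing platform B is an assumption described below.
"""
from dataclasses import dataclass

ATTRIBUTES = ("os", "cpu", "data_format")


@dataclass(frozen=True)
class Attrs:
    os: str           # operating system and version
    cpu: str          # CPU architecture
    data_format: str  # platform data format


@dataclass
class Platform:
    name: str
    attrs: Attrs
    state: str = "standby"  # standby | online | offline (draining existing tasks)
    pending: int = 0        # tasks still being processed on this platform


def build_pool(platforms):
    """S601: any two platforms in the pool must differ in at least one attribute."""
    for i, a in enumerate(platforms):
        for b in platforms[i + 1:]:
            if a.attrs == b.attrs:
                raise ValueError(f"{a.name} and {b.name} share all platform attributes")
    return {p.name: p for p in platforms}


class DynamicPlatform:
    def __init__(self, pool, initial):
        self.pool = pool
        self.online = pool[initial]
        self.online.state = "online"
        self.migrations = []  # (from, to) history of platform switches

    def submit(self, n=1):
        """New task requests are only accepted by the online platform."""
        self.online.pending += n

    def attack_detected(self, threatened_os=None):
        """S602-S603: platform A goes offline (finishing only its existing tasks) and a
        different standby platform B goes online.  Assumed selection rule: prefer a
        platform whose OS differs from the one the detected threat targets, then the
        one differing from A in the most attributes."""
        a = self.online
        a.state = "offline"
        candidates = [p for p in self.pool.values() if p is not a and p.state == "standby"]
        if not candidates:
            raise RuntimeError("no standby platform available in the pool")

        def score(p):
            avoids = threatened_os is None or not p.attrs.os.startswith(threatened_os)
            diff = sum(getattr(p.attrs, f) != getattr(a.attrs, f) for f in ATTRIBUTES)
            return (avoids, diff)

        b = max(candidates, key=score)
        b.state = "online"
        self.online = b
        self.migrations.append((a.name, b.name))
        return b.name

    def complete(self, name, n=1):
        """Finish n tasks on a platform.  S604: once an offline platform has drained it
        is reset ('cleaned') and returns to its initial standby state."""
        p = self.pool[name]
        p.pending = max(0, p.pending - n)
        if p.state == "offline" and p.pending == 0:
            p.state = "standby"
        return p.state
```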
As shown in fig. 7, as an implementation manner, the dynamic data policy based on encryption storage specifically includes:
S701: generating an encryption key with a dynamic key generation algorithm in the file storage server, encrypting the file M with the SM4 algorithm under that encryption key to produce a ciphertext C, and storing the encryption key in a key management server;
S702: when a file visitor sends a request to download the file M to the file storage server, the file storage server sends the corresponding ciphertext C to the file visitor together with the encryption key encrypted with the SM2 algorithm;
S703: the file visitor first decrypts the encrypted encryption key, then uses the encryption key to decrypt the ciphertext C to obtain the file M.
Specifically, dynamic data refers to dynamic changes in the format, syntax rules, coding scheme and representation of application data; here, the dynamization of data server access is also added to the dynamic data changes. Since an attacker needs to maintain a network connection during the attack, when downloading a file from a server the attacker does not download the whole file at once but downloads data periodically, to avoid abnormal traffic monitoring. In a conventional data server, once an attacker recovers a previous file key, the data in the server is completely exposed to the attacker. To solve this problem, the dynamic data strategy based on encrypted storage in the embodiment of the invention generates an encryption key using a dynamic key generation algorithm and then periodically re-encrypts the plaintext data stored on the data server with SM4, thereby realizing dynamic change of the stored data and ensuring the security of the data on the server platform for a period of time.
Example 2
In the foregoing embodiment 1, three dynamic strategies are adopted in the dynamic defense layer. To avoid the heavy resource consumption caused by switching between dynamic strategies, the embodiment of the present invention further provides an adaptive defense strategy based on a sliding window, in which the SDN control center determines the attack level from the attack intensity and thereby switches adaptively among the three strategies: the SDN-based dynamic IP hopping strategy, the dynamic platform strategy based on state migration, and the dynamic data strategy based on encrypted storage.
As an implementation manner, the adaptive defense strategy based on the sliding window specifically includes:
step A1: calculating an attack intensity predicted value y of any time point i in the time window m by adopting a formula (1) i
wherein ,w1 ,w 2 ,…,w m Respectively represent the attack strength predicted value y at the corresponding time point i-1 ,y i-2 ,…,y i-m M is the size of the time window;
step A2: calculating a difference value between the attack intensity true value and the predicted value of the time point i, and comparing the difference value with a preset threshold value;
Step A3: if the difference is larger than the preset threshold, an alarm is raised to raise the defense level, and the defense strategy is dynamically updated according to the defense level; otherwise, the defense level remains unchanged;
Specifically, the defense level can be divided into three levels, high, medium and low, according to four dimensions such as network resources, host resources, cost and complexity. When the difference between the actual attack intensity value and the predicted attack intensity value is greater than the set threshold, the defense level is raised and the time point corresponding to the abnormal value is excluded from the sampling sequence used for prediction.
Step A4: updating the time window, and executing the steps A1 to A3 in the new time window, so as to realize self-adaptive updating of the defense strategy according to comparison, thereby ensuring that the defense strategy of the APT attack dynamic defense system is always in a 'moderately safe' state and reducing unnecessary resource consumption.
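Steps A1 to A4 together with the 'fast shortening and slow lifting' hop-period rule of the dynamic IP layer, as one added example (not the patent's code). Formula (1) is not reproduced on the page; the example assumes the weighted form y_i = w_1*x_{i-1} + ... + w_m*x_{i-m} over the m most recent accepted samples with normalised weights, and the threshold, level names, strategy sets and period bounds are constructed.

```python
"""Sliding-window adaptive defense (steps A1-A4) with the 'fast shortening and slow
lifting' hop-period rule of the dynamic IP layer.

Added example, not the patent's own code.  Assumptions: the prediction is
y_i = w_1*x_{i-1} + ... + w_m*x_{i-m} over the m most recent accepted samples x with
normalised weights (formula (1) is not reproduced on the page); the threshold, level
names, strategy sets and period bounds are constructed.
"""
from collections import deque

LEVELS = ("low", "medium", "high")
# Constructed mapping from defense level to the dynamic strategies switched on.
STRATEGIES = {
    "low": ("dynamic_ip",),
    "medium": ("dynamic_ip", "dynamic_platform"),
    "high": ("dynamic_ip", "dynamic_platform", "dynamic_data"),
}


class AdaptiveDefense:
    def __init__(self, m=4, weights=None, threshold=2.0,
                 period=60.0, period_min=5.0, period_max=300.0,
                 shrink=0.5, grow=1.1):
        if weights is None:
            # recency weighting: w_1 (most recent sample) largest, weights sum to 1
            raw = [m - k for k in range(m)]
            weights = [w / sum(raw) for w in raw]
        if len(weights) != m:
            raise ValueError("need exactly m weights")
        self.w = list(weights)
        self.window = deque(maxlen=m)   # accepted samples, oldest first
        self.threshold = threshold
        self.level = 0                  # index into LEVELS; never lowered (step A3)
        self.period = period            # current IP hop period in seconds
        self.pmin, self.pmax = period_min, period_max
        self.shrink, self.grow = shrink, grow

    def predict(self):
        """A1: weighted prediction y_i from the window; None until the window is full."""
        if len(self.window) < self.window.maxlen:
            return None
        recent_first = list(self.window)[::-1]   # x_{i-1}, x_{i-2}, ..., x_{i-m}
        return sum(w * x for w, x in zip(self.w, recent_first))

    def observe(self, actual):
        """A2-A4: compare the actual intensity with the prediction, adjust the level and
        the hop period, then slide the window.  Returns (predicted, alarm, level, strategies)."""
        y = self.predict()
        name = LEVELS[self.level]
        if y is None:                   # window still filling: record and wait
            self.window.append(actual)
            return None, False, name, STRATEGIES[name]
        alarm = (actual - y) > self.threshold
        if alarm:
            # A3: raise the defense level (capped) and shorten the hop period quickly;
            # the anomalous sample is excluded from the prediction sequence
            self.level = min(self.level + 1, len(LEVELS) - 1)
            self.period = max(self.pmin, self.period * self.shrink)
        else:
            # A4: slide the window over the accepted sample; with no attack detected
            # the hop period is lengthened slowly
            self.window.append(actual)
            self.period = min(self.pmax, self.period * self.grow)
        name = LEVELS[self.level]
        return y, alarm, name, STRATEGIES[name]
```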
Example 3
On the basis of the above embodiments, in order to further ensure the secure communication of normal users, the embodiments of the present invention further provide a local area network secure communication protocol based on SM3 and SM4. A normal user accesses the server through the client according to this protocol, and the stream processing operation after the normal data enter the network is realized by means of the SDN control center; the control center then changes the packet header of the normal data and allocates a path for the normal user, so that the normal user can access the target server and use the normal services it provides.
As shown in fig. 8, as an implementation manner, the LAN secure communication protocol based on SM3 and SM4 specifically includes:
S801: the client generates a first random number, hashes it with the SM3 algorithm to obtain a random number A, encrypts the random number A with a first shared key (key) and sends it to the server, so that the server can decrypt it with the first shared key after receipt;
S802: the server generates a second random number and hashes it with the SM3 algorithm to obtain a random number B; it takes the random number A, the random number B, the server identity ($ID_B$) and a timestamp ($T_B$) as the first plaintext, digitally signs the first plaintext with the private key corresponding to the server identity ($sign\_e_B$) to obtain a first digital signature result, hashes the first digital signature result with the SM3 algorithm to obtain a first hash value, and then encrypts the first plaintext, the first digital signature result, the first hash value, the server's identity certificate ($Cert_B$) and the public key corresponding to the server identity ($sign\_d_B$) with the first shared key and sends the encrypted data to the client;
S803: after receiving the encrypted data, the client decrypts it with the first shared key, then verifies the first digital signature result with the server's identity certificate and the public key corresponding to the server identity contained in the decrypted result, hashes the digital signature result in the decrypted result with the SM3 algorithm to obtain a second hash value, and compares the first hash value in the decrypted result with the second hash value to determine whether the encrypted data was transmitted in error or tampered with. The client then takes the random number A, the random number B, the client identity ($ID_A$), a timestamp ($T_A$) and the key information PWA as the second plaintext, digitally signs the second plaintext with the private key corresponding to the client identity ($sign\_e_A$) to obtain a second digital signature result, hashes the second digital signature result with the SM3 algorithm to obtain a third hash value, and then encrypts the second plaintext, the second digital signature result, the third hash value, the client's identity certificate ($Cert_A$) and the public key corresponding to the client identity ($sign\_d_A$) with the first shared key and sends the encrypted data to the server;
S804: after receiving the encrypted data, the server decrypts it with the first shared key, then verifies the second digital signature result with the client's identity certificate and the public key corresponding to the client identity contained in the decrypted result, hashes the second digital signature result in the decrypted result with the SM3 algorithm to obtain a fourth hash value, and compares the third hash value in the decrypted result with the fourth hash value to determine whether the encrypted data was transmitted in error or tampered with. At this point both sides' identities have been proved trustworthy, the shared key can be regenerated for the next verification, and the identity authentication process is finished.
S805: the server generates key information PWB, and uses the key information PWA and the key information PWB (PW in fig. 8) to generate a second shared key, according to a key generation method agreed in advance, to serve as the shared key used next time, and stores the second shared key in a database; then it encrypts the key information PWB, the user name $ID_{F\_A}$ used by the client to access the server and the password $PW_A'$ with the first shared key and sends them to the client;
S806: after receiving the encrypted data, the client decrypts it with the first shared key and uses the user name $ID_{F\_A}$ and password $PW_A'$ from the decrypted result to log in to the server and interact with it; the interaction data is encrypted for transmission with the SM4 algorithm under the first shared key; and the client generates the second shared key, as the shared key for the next use, from the key information PWA and the key information PWB according to the key generation method agreed in advance.
From the above process it can be seen that in the identity authentication stage the protocol mainly uses public key cryptography for entity authentication, implemented through a digital signature algorithm, and adopts mutual authentication, so that the accessed server is also required to prove its identity and the client is protected against an attacker's impersonation and deception. Encryption is used to ensure the confidentiality of the information and a hash function to ensure its integrity; the encrypt-before-hash approach is chosen so that message integrity is checked first during processing, avoiding the time wasted on messages with transmission errors, greatly reducing the decryption of invalid information and markedly improving processing efficiency. In addition, by appending a timestamp to the transmitted information, replay attacks during protocol communication are effectively avoided.
Furthermore, the embodiment of the invention also enhances the credibility and the safety of each identity authentication through identity updating.
For users with the same identity, it is difficult to ensure that the identity always remains uncompromised, and identity theft cannot be ruled out; updating the identity in a timely and effective manner can therefore greatly reduce the probability of identity authentication errors. The frequency of user identity updates is mainly set according to the actual conditions.
For example, for a service with higher confidentiality and security requirements, it may be arranged that at each interaction both parties set the identity the client will use at the next interaction, so that a one-time identity, analogous to a one-time pad, provides a safer form of protection. For occasions with lower security requirements, the one-time identity scheme has a higher implementation cost, so the identity can instead be updated after a fixed time or a fixed number of interactions, where the fixed time or number of interactions is either protected or chosen randomly.
For the updated features, the decision is made based primarily on the identity information currently in use. If the digital signature and the identity information such as the identity of the client, the identity of the server, etc. are used in the above protocol, it is necessary to update the signing key and the verification key of the digital signature, and update the corresponding identity certificate. Meanwhile, the identity of the client and the identity of the server can be updated, a digital sequence or more complex irregular sequences are used as identity names, and the identity names are updated every time when the identity is updated, so that the safety of a protocol is improved.
The local area network security communication protocol based on SM3 and SM4 in the embodiment of the invention mainly considers that a security communication scheme is established for the client and the server, and after the server accurately identifies the identity of the normal user and authenticates the identity validity of the normal user, the server sends the user name and the password required for logging in the FTP server to the normal user through encryption transmission, so that the normal user can realize security communication with the server through the FTP service and normally access the internal data of the server.
Example 4
The embodiment of the invention also provides an APT attack dynamic defense system based on SDN, which comprises the following steps:
an IPS and honeypot cooperative defense unit, used to form the IPS and honeypot cooperative defense layer, in which the IPS filters attack data through attack feature matching, attracts the attack data to a honeypot host for the honeypot host to collect the attack features and send them to a data processing center for analysis and learning, and the data processing center feeds the analysis and learning results back to the IPS;
a deception space defense unit, used to form the deception space defense layer, in which secondary blocking and early warning of attack data that bypasses the IPS and honeypot cooperative defense layer are performed by utilizing a complex topological structure and a deception host space;
a dynamic defense unit, configured to form the dynamic defense layer, in which the IP addresses of the internal network are dynamically allocated based on the SDN dynamic IP hopping strategy, so that an attacker who bypasses the deception space defense layer and then enters the internal network cannot find the target server;
the defense layers formed by the three defense units are, in order from the shallowest to the deepest: the IPS and honeypot cooperative defense layer, the deception space defense layer and the dynamic defense layer.
It should be noted that, the dynamic APT attack defense system based on SDN provided by the embodiment of the present invention is mainly for the above method embodiments, and the functions thereof may specifically refer to the above method embodiments, which are not described herein again.
In view of the asymmetry in time, cost and other resources between the attacking and defending sides in cyberspace, and in particular the serious security threat that APT attacks pose to cyberspace, and in order to reduce the attacker's asymmetric advantage in the attack-defense process and improve the defender's ability to withstand network attacks, the invention builds an APT attack dynamic defense system at three layers, the network layer, the platform layer and the data layer, based on SDN technology and moving target defense technology, while an intrusion prevention system (Intrusion Prevention System, IPS), a honeypot and deception space technology are used to defend against basic APT attacks. SDN technology is used to reshape the network through the OpenFlow switch and realize dynamic IP address hopping; by building a diversified operating platform, dynamic platform migration against APT attacks is realized; dynamic encrypted storage of core data is realized by means of a dynamic key generation algorithm and the SM4 cryptographic algorithm; and, to address the resource consumption of a dynamic defense system, an adaptive defense strategy selection method based on a sliding window is designed, so that the system adaptively changes its defense strategy according to the attack intensity, greatly reducing the resource consumption of the defense process while effectively resisting APT attacks. In addition, a local area network secure communication protocol based on the SM3 and SM4 algorithms is designed to ensure secure access by normal users to the server.
With the rapid development of informatization and intelligence, cyberspace is ever more closely tied to the real world, and the harm caused by network attacks has extended from pure network security to the safety of society, property and even citizens' persons. The contradiction between the growing demand for network security and the lagging, unbalanced state of network security technology gives the APT attack dynamic defense system designed by the invention wide applicability; foreseeable application scenarios include, but are not limited to, the following three types: 1) government and military intranets; 2) enterprise local area networks; 3) campus networks.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and are not limiting; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (6)

1. An SDN-based APT attack dynamic defense method, characterized in that three defense layers are arranged, in order from the shallowest to the deepest: an IPS and honeypot cooperative defense layer, a deception space defense layer and a dynamic defense layer;
in the IPS and honeypot cooperative defense layer, the IPS filters attack data by attack feature matching and diverts attack data to a honeypot host; the honeypot host collects attack features and sends them to a data processing center for analysis and learning, and the data processing center feeds the analysis and learning results back to the IPS;
in the deception space defense layer, a complex topology and a deception host space are used to perform secondary blocking and early warning on attack data that has bypassed the IPS and honeypot cooperative defense layer;
in the dynamic defense layer, the IP addresses of the internal network are dynamically allocated according to an SDN-based dynamic IP hopping strategy, so that an attacker who has bypassed the deception space defense layer and entered the internal network cannot locate the target server; the SDN-based dynamic IP hopping strategy specifically comprises the following steps:
after an external network user passes the firewall, the external network access data is sent through an OF (OpenFlow) switch in the forwarding layer to a control host in the control layer;
the control host parses the external network access data forwarded by the OF switch according to the southbound OpenFlow protocol;
a stream processing module in the control layer processes and analyses the parsed data stream content, specifically: it queries the source IP address and destination IP address of the external network access data from the data stream content and invokes a dynamic processing module in the control layer on the basis of the Dynamic Host Configuration Protocol (DHCP);
the dynamic processing module queries and modifies the source and destination IP addresses of the external network access data, specifically: it changes the source and destination IP addresses of the external network access data to the source and destination IP addresses used in the internal network of the accessed system and stores the modified content in an information storage module in the control layer; it then queries whether a target host corresponding to the source and destination IP addresses exists in the intranet; if so, the subsequent steps are executed; otherwise, two unassigned, unoccupied virtual IP addresses are selected from the address pool SA and assigned to the intranet host, after which the subsequent steps are executed;
the SDN control center sends the data packet back to the accessed system, and the OF switch forwards the flow along the configured path to the target host;
while the above steps are executed, the dynamic processing module continuously checks the time stamp of each Data group in the liveList, and if the difference between the time stamp and the current time is greater than or equal to the configured hop period, it performs a dynamic hop of the IP address of the host corresponding to that Data group; the liveList stores a plurality of Data groups; a Data group is created after the first communication connection between a host and the server and stores the information of both communicating parties in a form that records the source routing information, the destination routing information and a time stamp T;
and the dynamic processing module checks the duration specified in the 'idle_timeout' option of the flow table; if the difference between the time the flow table entry was last referenced and the current time is greater than or equal to that duration, the flow table entry is deleted, communication between the host and the server is terminated, and the corresponding Data group is removed from the liveList.
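The controller-side bookkeeping that claim 1 describes (the liveList of Data groups, the address pool SA, the hop period and the flow-table idle_timeout) is modelled below. This is an added example, not code from the patent: the class and method names, the pool prefix 10.0.0.0/24, the timer values and the sample intranet addresses are assumptions chosen for illustration, and programming the actual flow entries on the OF switch is left out.

```python
"""Controller-side model of the SDN dynamic IP hopping strategy of claim 1.

Added example, not the patent's code. HopController, DataGroup, the pool
prefix, the timer values and the sample addresses are assumptions. Only the
liveList, the address pool SA and the two timers are modelled; the OpenFlow
rule programming on the OF switch is out of scope.
"""
import ipaddress
import random
from dataclasses import dataclass


@dataclass
class DataGroup:
    """One liveList entry: both parties' routing information and timestamps."""
    src_real: str    # real intranet address of the initiating host
    dst_real: str    # real intranet address of the target server
    src_virt: str    # virtual address currently standing in for src_real
    dst_virt: str    # virtual address currently standing in for dst_real
    stamp: float     # time stamp T: when the current virtual pair was issued
    last_ref: float  # when the flow entry was last referenced (idle_timeout)


class HopController:
    """Dynamic processing module plus information storage module."""

    def __init__(self, pool_cidr, hop_period, idle_timeout, seed=None):
        # address pool SA: every host address of the given prefix
        self.pool = [str(ip) for ip in ipaddress.ip_network(pool_cidr).hosts()]
        self.in_use = set()
        self.hop_period = hop_period
        self.idle_timeout = idle_timeout
        self.rng = random.Random(seed)
        self.live = {}    # liveList: (src_real, dst_real) -> DataGroup
        self.info = []    # information storage module: log of rewrites

    def _alloc(self):
        """Pick an unassigned, unoccupied virtual address from SA."""
        free = [ip for ip in self.pool if ip not in self.in_use]
        if not free:
            raise RuntimeError("address pool SA exhausted")
        ip = self.rng.choice(free)
        self.in_use.add(ip)
        return ip

    def _release(self, ip):
        self.in_use.discard(ip)

    def packet_in(self, src_real, dst_real, now):
        """Flow arrives from the OF switch: look up or create the Data group
        and return the virtual (src, dst) pair the switch must rewrite to."""
        key = (src_real, dst_real)
        group = self.live.get(key)
        if group is None:
            # first connection between this host and server: assign two
            # virtual addresses and create the Data group
            group = DataGroup(src_real, dst_real, self._alloc(), self._alloc(),
                              stamp=now, last_ref=now)
            self.live[key] = group
        group.last_ref = now
        self.info.append((now, src_real, dst_real, group.src_virt, group.dst_virt))
        return group.src_virt, group.dst_virt

    def current_pair(self, src_real, dst_real):
        g = self.live[(src_real, dst_real)]
        return g.src_virt, g.dst_virt

    def tick(self, now):
        """Periodic check of every Data group; returns (hopped, removed) keys."""
        hopped, removed = [], []
        for key, g in list(self.live.items()):
            if now - g.last_ref >= self.idle_timeout:
                # flow entry idle_timeout reached: delete the flow, end the
                # session and drop the Data group from the liveList
                self._release(g.src_virt)
                self._release(g.dst_virt)
                del self.live[key]
                removed.append(key)
            elif now - g.stamp >= self.hop_period:
                # hop period reached: allocate fresh addresses before
                # releasing the old ones so the new pair never repeats them
                old = (g.src_virt, g.dst_virt)
                g.src_virt, g.dst_virt = self._alloc(), self._alloc()
                for ip in old:
                    self._release(ip)
                g.stamp = now
                hopped.append(key)
        return hopped, removed
```

Two details matter in practice: the idle check runs before the hop check so a dead session is never re-keyed, and on a hop the new pair is drawn while the old pair is still marked in use, which guarantees the attacker's last-seen addresses are not reissued to the same session.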
2. The SDN-based APT attack dynamic defense method of claim 1, further comprising: in the dynamic defense layer, if an attacker locates the target server, the software and hardware platform of the target server is reconstructed according to a state-migration-based dynamic platform strategy so that the attacker cannot carry out the intended theft from the target; the state-migration-based dynamic platform strategy specifically comprises the following steps:
constructing a platform pool in which any two platforms differ in at least one platform attribute, the platform attributes comprising the operating system and its version, the CPU architecture and the platform data format;
if an attack risk is detected on the currently online platform A, switching platform A to the offline state, in which a platform only processes and completes the tasks already on it and accepts no new task requests;
selecting from the platform pool a platform B different from platform A and bringing it online to accept new task requests;
after platform A, in the offline state, has completed its existing tasks, resetting platform A.
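The drain-and-switch behaviour of claim 2 is easy to get wrong (new requests leaking onto the platform being retired, or the reset firing while tasks are still running), so the following state model makes the offline state explicit. It is an added example rather than the patent's code; the platform names and attribute values are constructed, and choosing the standby platform that shares the fewest attributes with the compromised one is an assumption, since the claim only requires that platform B differ from platform A.

```python
"""Model of the state-migration dynamic platform strategy of claim 2.

Added example, not the patent's code. Platform names and attributes are
constructed; preferring the candidate with the largest attribute distance
from the compromised platform is an assumption beyond the claim.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class PlatformAttrs:
    os_version: str   # operating system and its version
    cpu_arch: str     # CPU architecture
    data_format: str  # platform data format

    def distance(self, other):
        """Number of attributes in which two platforms differ."""
        mine = (self.os_version, self.cpu_arch, self.data_format)
        theirs = (other.os_version, other.cpu_arch, other.data_format)
        return sum(a != b for a, b in zip(mine, theirs))


@dataclass
class Platform:
    name: str
    attrs: PlatformAttrs
    state: str = "standby"   # standby | online | offline (draining)
    tasks: set = field(default_factory=set)


class PlatformPool:
    def __init__(self, platforms):
        attrs = [p.attrs for p in platforms]
        if len(set(attrs)) != len(attrs):
            raise ValueError("any two platforms must differ in at least one attribute")
        self.platforms = {p.name: p for p in platforms}
        self.online = None

    def bring_online(self, name):
        p = self.platforms[name]
        if p.state != "standby":
            raise RuntimeError(f"{name} is {p.state}, not standby")
        p.state = "online"
        self.online = p
        return p.name

    def submit(self, task_id):
        """New task requests only ever go to the online platform."""
        if self.online is None:
            raise RuntimeError("no platform online")
        self.online.tasks.add(task_id)
        return self.online.name

    def on_attack_risk(self):
        """Attack risk detected on online platform A: put A into the offline
        (draining) state and bring a different standby platform B online."""
        a = self.online
        a.state = "offline"
        candidates = [p for p in self.platforms.values()
                      if p.state == "standby" and p.attrs != a.attrs]
        if not candidates:
            raise RuntimeError("no alternative platform in the pool")
        b = max(candidates, key=lambda p: p.attrs.distance(a.attrs))
        b.state = "online"
        self.online = b
        return a.name, b.name

    def finish(self, task_id):
        """A task completes on whichever platform holds it; an offline platform
        whose last task has finished is reset back to standby."""
        for p in self.platforms.values():
            if task_id in p.tasks:
                p.tasks.discard(task_id)
                if p.state == "offline" and not p.tasks:
                    self.reset(p.name)
                return p.name
        raise KeyError(task_id)

    def reset(self, name):
        p = self.platforms[name]
        p.tasks.clear()
        p.state = "standby"
        return p.name
```

Note that the reset is triggered only from `finish`, never from `on_attack_risk`, which is what keeps in-flight work on the retired platform from being cut off.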
3. The SDN-based APT attack dynamic defense method of claim 2, further comprising: in the dynamic defense layer, if an attacker bypasses both the SDN-based dynamic IP hopping strategy and the state-migration-based dynamic platform strategy, important data in the target server is stored encrypted according to an encrypted-storage-based dynamic data strategy, and the data encryption key is updated dynamically, so that an attacker who steals the target data cannot decrypt it to obtain the real data; the encrypted-storage-based dynamic data strategy specifically comprises the following steps:
a dynamic key generation algorithm in the file storage server generates an encryption key; the file M is encrypted with the SM4 algorithm under this key to produce the ciphertext C, and the encryption key is stored in a key management server;
when a file visitor sends a request to the file storage server to download file M, the file storage server sends the visitor the corresponding ciphertext C together with the encryption key encrypted with the SM2 algorithm;
the file visitor first decrypts the encrypted encryption key and then uses it to decrypt the ciphertext C to obtain file M.
4. The SDN-based APT attack dynamic defense method of claim 3, further comprising: the SDN-based control center judges the attack level of the attacker, and a sliding-window-based adaptive defense strategy is then used to switch adaptively among the SDN-based dynamic IP hopping strategy, the state-migration-based dynamic platform strategy and the encrypted-storage-based dynamic data strategy; the sliding-window-based adaptive defense strategy specifically comprises the following steps:
step A1: calculating, by formula (1), the attack intensity predicted value at any time point i within the time window m;
(1)
wherein the coefficients in formula (1) respectively denote the weight of the attack intensity at the corresponding time point;
step A2: calculating the difference between the true value and the predicted value of the attack intensity at time point i, and comparing the difference with a preset threshold;
step A3: if the difference is greater than the preset threshold, raising an alarm, increasing the defense level and dynamically updating the defense strategy according to the defense level; otherwise, keeping the defense level unchanged;
step A4: sliding the time window forward and repeating steps A1 to A3 in the new time window.
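Steps A1 to A4 as a runnable loop, written here as an added example and not taken from the patent. Formula (1) is not reproduced on this page, so the predictor below is an assumed weighted average of the previous m observations with weights summing to one, heaviest on the most recent sample; the window length, weights, threshold, the mapping from defense level to active strategies, and the attack-intensity series are all constructed values. Only an intensity that exceeds the prediction by more than the threshold escalates, which is the reading of "difference" that avoids alarming on a drop in attack activity.

```python
"""Sliding-window adaptive defense strategy of claim 4 (steps A1 to A4).

Added example, not the patent's code. The weighted-average predictor stands
in for formula (1), which this page does not carry; LEVELS, the weights, the
threshold and the sample series are constructed for illustration.
"""
from collections import deque

# assumed escalation order: level k enables the first k+1 strategies
LEVELS = ["ip_hopping", "platform_migration", "data_encryption"]


class AdaptiveDefense:
    def __init__(self, m, weights, threshold):
        if len(weights) != m or abs(sum(weights) - 1.0) > 1e-9:
            raise ValueError("need m weights that sum to 1")
        self.m = m
        self.w = list(weights)        # w[0] is for the oldest sample, w[-1] the newest
        self.threshold = threshold
        self.window = deque(maxlen=m)  # the sliding time window
        self.level = 0
        self.alarms = []               # time points at which an alarm was raised

    def predict(self):
        """Step A1: predicted intensity for the next point, from the window."""
        return sum(w * x for w, x in zip(self.w, self.window))

    def observe(self, i, actual):
        """Steps A2 to A4 for time point i; returns (prediction, level)."""
        if len(self.window) < self.m:
            # not enough history yet to predict: just fill the window
            self.window.append(actual)
            return None, self.level
        pred = self.predict()
        if actual - pred > self.threshold:          # step A2/A3: surprise
            self.alarms.append(i)
            self.level = min(self.level + 1, len(LEVELS) - 1)
        self.window.append(actual)                  # step A4: slide the window
        return pred, self.level

    def run(self, series):
        """Feed a whole attack-intensity series; returns (alarms, final level)."""
        for i, actual in enumerate(series):
            self.observe(i, actual)
        return list(self.alarms), self.level

    def active_strategies(self):
        return LEVELS[: self.level + 1]
```

With the series used in the test (a quiet baseline followed by a jump), the first out-of-window sample raises the level once, the next sample still exceeds the now partially adapted prediction and raises it again, and after that the window has absorbed the new baseline and no further alarms fire. That absorption is the point of the window: sustained high intensity does not keep escalating, only changes do.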
5. The SDN-based APT attack dynamic defense method of any one of claims 1 to 4, further comprising: a normal user accesses the server through a client according to a local area network security communication protocol based on SM3 and SM4; the local area network security communication protocol based on SM3 and SM4 specifically comprises the following steps:
step B1: the client generates a first random number, hashes it with the SM3 algorithm to obtain random number A, encrypts random number A with a first shared key and sends it to the server, which decrypts it with the first shared key on receipt;
step B2: the server generates a second random number and hashes it with the SM3 algorithm to obtain random number B; takes random number A, random number B, the server identity and a time stamp as a first plaintext; digitally signs the first plaintext with the private key corresponding to the server identity to obtain a first digital signature; hashes the first digital signature with SM3 to obtain a first hash value; and encrypts the first plaintext, the first digital signature, the first hash value, the server's identity certificate and the public key corresponding to the server identity with the first shared key and sends them to the client;
step B3: on receiving the encrypted data, the client decrypts it with the first shared key, verifies the first digital signature using the server's identity certificate and the public key corresponding to the server identity from the decrypted result, hashes the first digital signature from the decrypted result with SM3 to obtain a second hash value, and compares the first hash value from the decrypted result with the second hash value to determine whether the data was corrupted in transit or tampered with; the client then takes random number A and random number B from the decrypted result, together with the client identity, a time stamp and key information PWA, as a second plaintext, digitally signs the second plaintext to obtain a second digital signature, hashes the second digital signature with SM3 to obtain a third hash value, and encrypts the second plaintext, the second digital signature, the third hash value, the client's identity certificate and the public key corresponding to the client identity with the first shared key and sends them to the server;
step B4: on receiving the encrypted data, the server decrypts it with the first shared key, verifies the second digital signature using the client's identity certificate and the public key corresponding to the client identity from the decrypted result, hashes the second digital signature from the decrypted result with SM3 to obtain a fourth hash value, and compares the third hash value from the decrypted result with the fourth hash value to determine whether the data was corrupted in transit or tampered with;
step B5: the server generates key information PWB, derives from key information PWA and key information PWB, according to a pre-agreed key generation method, a second shared key to be used as the shared key next time, and stores it in a database; it then encrypts key information PWB together with the user name ID_F_A and password PW_A' with which the client accesses the server, using the first shared key, and sends them to the client;
step B6: on receiving the encrypted data, the client decrypts it with the first shared key, logs in to the server with the user name ID_F_A and password PW_A' from the decrypted result and interacts with the server; the interaction data is encrypted for transmission with the SM4 algorithm under the first shared key; and the client derives from key information PWA and key information PWB, according to the pre-agreed key generation method, the second shared key to be used as the shared key next time.
6. An SDN-based APT attack dynamic defense system, comprising:
an IPS and honeypot cooperative defense unit, which forms an IPS and honeypot cooperative defense layer in which the IPS filters attack data by attack feature matching and diverts attack data to a honeypot host, the honeypot host collects attack features and sends them to a data processing center for analysis and learning, and the data processing center feeds the analysis and learning results back to the IPS;
a deception space defense unit, which forms a deception space defense layer in which a complex topology and a deception host space are used to perform secondary blocking and early warning on attack data that has bypassed the IPS and honeypot cooperative defense layer;
a dynamic defense unit, which forms a dynamic defense layer in which the IP addresses of the internal network are dynamically allocated according to an SDN-based dynamic IP hopping strategy, so that an attacker who has bypassed the deception space defense layer and entered the internal network cannot locate the target server;
the defense layers formed by the three defense units are arranged in order from the shallowest to the deepest: the IPS and honeypot cooperative defense layer, the deception space defense layer and the dynamic defense layer;
the SDN-based dynamic IP hopping strategy specifically comprises the following steps:
after an external network user passes the firewall, the external network access data is sent through an OF (OpenFlow) switch in the forwarding layer to a control host in the control layer;
the control host parses the external network access data forwarded by the OF switch according to the southbound OpenFlow protocol;
a stream processing module in the control layer processes and analyses the parsed data stream content, specifically: it queries the source IP address and destination IP address of the external network access data from the data stream content and invokes a dynamic processing module in the control layer on the basis of the Dynamic Host Configuration Protocol (DHCP);
the dynamic processing module queries and modifies the source and destination IP addresses of the external network access data, specifically: it changes the source and destination IP addresses of the external network access data to the source and destination IP addresses used in the internal network of the accessed system and stores the modified content in an information storage module in the control layer; it then queries whether a target host corresponding to the source and destination IP addresses exists in the intranet; if so, the subsequent steps are executed; otherwise, two unassigned, unoccupied virtual IP addresses are selected from the address pool SA and assigned to the intranet host, after which the subsequent steps are executed;
the SDN control center sends the data packet back to the accessed system, and the OF switch forwards the flow along the configured path to the target host;
while the above steps are executed, the dynamic processing module continuously checks the time stamp of each Data group in the liveList, and if the difference between the time stamp and the current time is greater than or equal to the configured hop period, it performs a dynamic hop of the IP address of the host corresponding to that Data group; the liveList stores a plurality of Data groups; a Data group is created after the first communication connection between a host and the server and stores the information of both communicating parties in a form that records the source routing information, the destination routing information and a time stamp T;
and the dynamic processing module checks the duration specified in the 'idle_timeout' option of the flow table; if the difference between the time the flow table entry was last referenced and the current time is greater than or equal to that duration, the flow table entry is deleted, communication between the host and the server is terminated, and the corresponding Data group is removed from the liveList.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210543006.8A CN115051836B (en) 2022-05-18 2022-05-18 SDN-based APT attack dynamic defense method and system

Publications (2)

Publication Number Publication Date
CN115051836A CN115051836A (en) 2022-09-13
CN115051836B true CN115051836B (en) 2023-08-04

Family

ID=83158859

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210543006.8A Active CN115051836B (en) 2022-05-18 2022-05-18 SDN-based APT attack dynamic defense method and system

Country Status (1)

Country Link
CN (1) CN115051836B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20240028303A1 (en) * 2022-07-22 2024-01-25 Praveen Vaddadi Method and system for algorithm synthesis using algebraic topological techniques
CN116132090B (en) * 2022-11-09 2024-04-02 中国电子科技集团公司第三十研究所 Spoofing defending system for Web security protection

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104506511A (en) * 2014-12-15 2015-04-08 蓝盾信息安全技术股份有限公司 Moving target defense system and moving target defense method for SDN (self-defending network)
CN105429957A (en) * 2015-11-02 2016-03-23 芦斌 IP address jump safety communication method based on SDN framework
CN108712427A (en) * 2018-05-23 2018-10-26 北京国信安服信息安全科技有限公司 A kind of network security method and system of dynamic Initiative Defense
KR101917062B1 (en) * 2017-11-02 2018-11-09 한국과학기술원 Honeynet method, system and computer program for mitigating link flooding attacks of software defined network
CN109088901A (en) * 2018-10-31 2018-12-25 杭州默安科技有限公司 Deception defence method and system based on SDN building dynamic network
CN109218327A (en) * 2018-10-15 2019-01-15 西安电子科技大学 Initiative type safeguard technology based on cloud container
WO2019149273A1 (en) * 2018-02-01 2019-08-08 Nokia Shanghai Bell Co., Ltd. Method and device for interworking between service function chain domains

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10958478B2 (en) * 2016-11-18 2021-03-23 Securboration, Inc. Resilient polymorphic network architectures
US11876833B2 (en) * 2019-08-15 2024-01-16 Uchicago Argonne, Llc Software defined networking moving target defense honeypot

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Game Theory Based Dynamic Defense Mechanism for SDN; Deming Mao; Springer; full text *
Active deception defense method based on dynamic camouflage network; 王硕; 王建华; 裴庆祺; 汤光明; 王洋; 刘小虎; Journal on Communications (No. 02); full text *
Network traffic anomaly detection method based on deep feature learning; 董书琴; Journal of Electronics & Information Technology; full text *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant